Cyber coverage lags risk awareness in Asia-Pacific

SINGAPORE — Cyber risk insurance is still in its infancy in much of the Asia-Pacific market, but companies in the region face some significant cyber exposures.

While there are few, if any, laws in Asian countries that specifically address cyber breaches and impose breach response requirements on companies, risk managers need to be concerned about cyber threats, experts say.

Damage to reputation and loss of revenue can result from cyber attacks and breaches, and those risks are major concerns to senior executives and boards of directors, speakers said during sessions at the annual Pan-Asia Risk and Insurance Management Association conference in Singapore this week.

Still, few companies in the region buy specialized coverage to address cyber risks.

Although there is about $2 billion in cyber risk premium written by insurers worldwide, most of it is written in North America, followed by Europe, said Mark T. Lingafelter, managing director at QBE Asia Pacific in Singapore, a unit of QBE Insurance Group Ltd. Only about $5 million of QBE's premium comes from cyber risk policies written in Asia, he said.

AIG, which writes about $200 million in cyber risk premium globally, writes only about $20 million in Asia, said Rudi H. Spaan, president and CEO of AIG Insurance Hong Kong Ltd., a unit of American International Group Inc.

Cyber insurance is in its infancy in Australia too, said Jason Disborough, CEO of multinational clients at Aon Risk Solutions in Brisbane, Australia. Aon places about $2.3 billion in property/casualty insurance premiums in Australia, but only about $15 million of that is related to cyber insurance, he said.

However, cyber is a fast-growing line of business, and corporate boards in Australia are more frequently directing companies to look into buying cyber insurance coverage, he said.

“Some are buying a lot of capacity now in case insurers pull back coverage when losses happen,” he said. The Australian government recently announced that data breach notification legislation, scheduled to be in place in 2015, will be delayed,.

While countries in the Asia-Pacific region have few laws that directly impose potential cyber-related liabilities on companies operating in the region, risk managers and their organizations face significant cyber risks, those liabilities will accelerate as governments pass cyber legislation, several speakers at the conference said.

Nonphysical-damage business interruption risks are major threats to companies, said Peter Hacker, a global advisory executive at Distinction Global, a unit of the Cybercrime Research Institute GmbH in Cologne, Germany.

Traditional business interruption policies respond to only disruption caused by physical damage to property. However, hacking incidents can lead to significant disruptions in business, he said.

In relation to cyber risks, “we used to think about privacy, but now we have to think about loss of revenue. The CEO and CFO's major concern is reputation and loss of revenue,” Mr. Hacker said.

“Boards are more and more asking about what risk management and insurance can do. They want to know how it's relevant to their needs,” he said.

In addition, as a legal framework around cyber develops, companies should consider how they will cover potential fines related to cyber breaches, Mr. Hacker said. “Can you insure the payments? In some jurisdictions, it can't be covered by insurance.”